Securing APIs is many things, but not easy. With the increasing reliance on microservices and cloud applications, web-based APIs are becoming increasingly important to the digital strategy of various companies. The only thing that is growing faster than API integration is the amount of API attack traffic, which has recently grown three times as fast as the overall API traffic.
This chilling statistic comes to no surprise, regarding the fact that APIs are often in the blind spot of application security testing methods. In this article, I want to present three reasons why modern white-box testing approaches that are based on fuzzing can help you get to these blind spots to build unbreakable API endpoints.
Modern application security testing platforms and tools enable developers to implement continuous testing cycles into their CI/CD environment. In most cases, those can be configured to conduct automated fuzz tests on each pull request to ensure that code is secure before it is merged. With a few adjustments, fuzzers can even be set up to run security tests on each code change. Since many fuzzing solutions offer a high degree of automation, no expert knowledge is required to operate them.
Below, you can find an example of vulnerabilities in the deliberately insecure WebGoat toy project. Most of the countless vulnerabilities hidden all over the place are the typical OWASP pitfalls, including SQL Injections, XSS-Scenarios, etc. A more detailed bug reporting explaining the results from fuzzing in WebGoat can be found here.
Code coverage is one of the most important metrics in application security testing. Without information about the code covered in a test, it becomes difficult to interpret test findings. Modern fuzzing platforms allow for precise code-coverage visibility, as they provide information about the exact percentage of code covered in a test.
After a vulnerability or bug is found, modern fuzzers can automatically classify its severity and provide full log information. Since dynamic application security testing (DAST) and interactive application security testing (IAST) tools actually execute the software and feed inputs into the API, most of those tools can identify the input causing the crash. This allows developers to easily debug findings, as they can observe exactly how their application interacts with the crashing input. To ensure that this proceeds as frustration-free as possible, the ideal tool is able to set break-points based on the stacktrace leading to the vulnerability.
Implementing modern fuzzing will enable you to build a reliable, fully-automated testing-cycle, that provides code-coverage visibility and simplifies your debugging efforts. If you want to see how all of the above can be implemented practically, feel free to join our live coding session on November 30th. At the event, Daniel Teuchert who is one of our REST API security experts will demonstrate how you can automate your REST API testing in 5 easy steps.